The function X509_VERIFY_PARAM_add0_policy() is documented to implicitly enable the certificate policy check when doing certificate verification. However the implementation of the function does not enable the check which allows certificates with invalid or incorrect policies to pass the certificate verification. As suddenly enabling the policy check could break existing deployments it was decided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy() function. Instead the applications that require OpenSSL to perform certificate policy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly enable the policy check by calling X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag argument. Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications. https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=73398dea26de9899fb4baa94098ad0a61f435c72 https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=51e8a84ce742db0f6c70510d0159dad8f7825908 https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc814a30fc4f0bc54fcea7d9a7462f5457aab061 https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0d16b7e99aafc0b4a6d729eec65a411a7e025f0a https://www.openssl.org/news/secadv/20230328.txt
Created edk2 tracking bugs for this issue: Affects: fedora-36 [bug 2182603] Affects: fedora-37 [bug 2182608] Created mingw-openssl tracking bugs for this issue: Affects: fedora-36 [bug 2182604] Affects: fedora-37 [bug 2182609] Created openssl tracking bugs for this issue: Affects: fedora-36 [bug 2182605] Affects: fedora-37 [bug 2182610] Created openssl1.1 tracking bugs for this issue: Affects: fedora-36 [bug 2182606] Affects: fedora-37 [bug 2182611] Created openssl11 tracking bugs for this issue: Affects: epel-7 [bug 2182601] Created openssl3 tracking bugs for this issue: Affects: epel-8 [bug 2182602] Created shim tracking bugs for this issue: Affects: fedora-36 [bug 2182607] Affects: fedora-37 [bug 2182612]
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:3722 https://access.redhat.com/errata/RHSA-2023:3722
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-0466
This issue has been addressed in the following products: Red Hat JBoss Web Server 5.7 on RHEL 7 Red Hat JBoss Web Server 5.7 on RHEL 8 Red Hat JBoss Web Server 5.7 on RHEL 9 Via RHSA-2023:7622 https://access.redhat.com/errata/RHSA-2023:7622
This issue has been addressed in the following products: Red Hat JBoss Web Server Via RHSA-2023:7623 https://access.redhat.com/errata/RHSA-2023:7623
This issue has been addressed in the following products: JBoss Core Services on RHEL 7 JBoss Core Services for RHEL 8 Via RHSA-2023:7625 https://access.redhat.com/errata/RHSA-2023:7625
This issue has been addressed in the following products: Red Hat JBoss Core Services Via RHSA-2023:7626 https://access.redhat.com/errata/RHSA-2023:7626